OT: Cross-site Scripting - Articles and Tools

Last week's (May, 6th 2002) Security Adviser article in InfoWorld was near and (not so) dear to my heart and hopefully yours.

Mandy Andress goes over many of the points we have discussed here at the Monastary, and some new points, but also brings it home with some very public examples (eg. eBay, Cybercash, VeriSign).

She also directly mention sites like here (sites for coders) where preventing CSS attacks, becomes a game of balance between your user's freedom and thier security. Hat's off to the developers here for working on that balance.

There are some other interesting links in her article

cross_site_scripting.archive.html - This page details sites who are open to CSS attacks *including AOL, and Real.com* this page is run by SkyLined a self professed h4x0r

community.whitehatsec.com - Who has just released thier Linux-based WhiteHat Arsenal 1.05 test suite for profiling your site against CSS attacks

Hopefully this article shows to all that this problem is not going away. So if you developing a website and take user input to be displayed. You should read this.

grep

Unix - where you can throw the manual on the keyboard and get a command

Comment on OT: Cross-site Scripting - Articles and Tools

Replies are listed 'Best First'.
Re: OT: Cross-site Scripting - Articles and Tools by greenFox (Vicar) on May 13, 2002 at 10:48 UTC
Personally I found the CERT advisories much more informative (or at least it was in language I understood :) CERTŽ Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests Understanding Malicious Content Mitigation for Web Developers I am wondering if there is a good reason why cgi.pm would not specify a character encoding by default. If someone needed a specific other character encoding it would be easily manually overridable and every-one else gets a bit more protection for free. -- my $chainsaw = 'Perl';	[reply]
Re: OT: Cross-site Scripting - Articles and Tools by cjf (Parson) on May 13, 2002 at 11:20 UTC
Usually when people talk about cross-site scripting attacks they refer to someone posting malicious code to a website in hopes of exploiting the browser vulnerabilities of other visitors. What's often overlooked is using the visitor to submit bad information to a vulnerable script on (or off) the site. This is easily done through adding a link with some extras attached to the query string, or adding a form with a few extra parameters. Maybe those buttons you click on people's homenodes could be sending less than nice stuff to certain scripts? Of course, if everyone was adequately paranoid and Didn't trust user input, this wouldn't be as big of a problem as it is.	[reply]
Re: OT: Cross-site Scripting - Articles and Tools by cLive ;-) (Prior) on May 13, 2002 at 08:07 UTC
< s c r i p t l a n g u a g e = " J a v a s c r i p t " > a l e r t ( " I s e e w h a t y o u m e a n " ) < / s c r i p t > cLive ;-) apologies - this is probably the geekiest joke I've ever tried to make...	[reply]
Re: Re: OT: Cross-site Scripting - Articles and Tools by mrbbking (Hermit) on May 13, 2002 at 12:21 UTC
tee hee hee... foreach( split / /, "< s c r i p t " ." l a n g u a g e " ."= " J a v a s c r i +" ."p t " > a l e r t " ."( " I s e e w h + " ."a t y o u m e " ."a n " ) < / s c r i +" ."p t >"){ /(\d+)/; print chr( $1 ); } [download] Update: to clarify that this is to interpret Re: OT: Cross-site Scripting - Articles and Tools. The `&#...?;` stuff is cLive ;-)'s, not mine.	[reply] [d/l]